In building my resume review SaaS tailored for students and 転職活動 (career change) seekers in Japan, I faced a simple question:

"How do I restrict access to just students without relying on official university logins or SheerID?"

A lot of companies solve this using school issued IDs, OAuth through G Suite for Education, or even SheerID verification. But all of those come with integration complexity, potential friction, and worst of all kill the speed and ease of my UX.

So I built something better.

✅ The Goal: Students Only Access With Just an Email

My signup form asks for a university email. That’s it. If your domain is a real school, you’re in. If it’s not, you’re blocked. No ID upload. No OAuth. No API dependency.

⚙️ The Stack

  • Backend: Node.js (NestJS)
  • Database: Firestore (for whitelist and blacklist)
  • External Tools:
    • WHOIS lookup
    • OpenAI GPT API
  • No SheerID. No OAuth. No .edu requirement

💡 The Logic

  1. User submits an email like [email protected]
  2. I extract the domain: s.chibakoudai.jp
  3. Check my Firestore whitelist and blacklist
  4. If unknown, use WHOIS and GPT to verify

🔍 WHOIS and GPT Magic

If the domain isn’t already in my whitelist, I check WHOIS to get metadata like:

  • Organization name
  • Registrant info
  • Domain category (often .ac.jp, .edu, etc.)

Then I feed that WHOIS data into ChatGPT with a prompt like:

"Is this domain associated with an educational institution? Just return Yes or No."

If GPT says yes → ✅ add to whitelist

If GPT says no → ❌ add to blacklist and block the user

✨ Example Code Snippet 

const whoisData = await lookupWhois(domain);
const prompt = `Is this domain from a university or educational institution?\n\nWHOIS:\n${whoisData}`;

const gptResult = await openai.chat.completions.create({
  model: 'gpt-4',
  messages: [{ role: 'user', content: prompt }],
});

const isSchool = gptResult.choices[0].message.content.includes('Yes');

🧠 Why It Works

  • Fast UX — Users don’t need to upload IDs or register school portals
  • Self expanding list — My whitelist grows automatically as GPT verifies new domains
  • Low Cost — GPT and WHOIS is cheaper and faster than commercial APIs

🔐 What About Abuse

  • Domains like gmail.com or yahoo.co.jp get instantly rejected
  • Once flagged, a domain is blacklisted and denied forever
  • This isn’t a hardcore identity proof — it’s smart friction

🚀 Outcome

  • Zero authentication integrations
  • Super smooth UX
  • Only real students can register
  • No need to deal with Japanese school bureaucracy (trust me, that’s worth it)

🤖 TLDR

I used WHOIS and GPT to check if an email domain belonged to a school and whitelist it automatically. No OAuth. No ID. Just a clever prompt and database check. Lightweight, fast, and clean.

If you want to implement this or have questions, feel free to drop a comment. Happy to share the logic in more detail

And if you’re working on an AI SaaS and want to avoid auth complexity this might be the easiest "student only" gate you'll ever build.